---- checkbox form, php, and mysql code will kill me for sure
LifeinAsia - 4:45 pm on Jul 14, 2011 (gmt 0)
$query = sprintf("SELECT * FROM findplantsdb WHERE Name='%s'", $_GET['pullname']); $result = mysql_real_escape_string($query);
Seems rather weak to me... I'd rather do some sanitizing on $_GET['pullname'] before you build the query string.
Personally, I would reference data in findplantsdb by an INT field and use that value instead of the Name field. Then, all you need to do is verify that $_GET['pullname'] is an integer value - throw an error if anything else.
Output $query to the screen - what is the value of the string?
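Added example, not code from the thread: the posted pattern (escape applied to the finished query instead of the value) next to the two fixes suggested in this reply, escaping the value before it is spliced in, and looking the row up by an integer key that is validated first. It assumes a mysqli connection in $link (the thread uses the old mysql_ extension) and an INT column named "id" in findplantsdb, both assumptions.

```php
<?php
// Added example (not from the thread). Assumes $link is an open mysqli connection
// and that findplantsdb has an INT key column named "id" (both assumptions).

// What the posted snippet does: the raw value is spliced into the SQL first, and
// only afterwards is the whole statement run through the escape function. The
// escaping therefore lands on the finished SQL text, not on the untrusted value.
function weak_query($link, $pullname) {
    $query  = sprintf("SELECT * FROM findplantsdb WHERE Name='%s'", $pullname);
    $result = mysqli_real_escape_string($link, $query); // escapes the wrong thing
    return $result;
}

// Fix 1: sanitize the value before building the string. The escaped value is
// what ends up between the quotes, which is what the escape function is for.
function escaped_query($link, $pullname) {
    $safe = mysqli_real_escape_string($link, $pullname);
    return sprintf("SELECT * FROM findplantsdb WHERE Name='%s'", $safe);
}

// Fix 2 (the reply's preferred route): reference the row by its INT key and
// accept the parameter only if it is a plain unsigned integer; anything else
// is an error, so no string content ever reaches the SQL.
function query_by_id($pullname) {
    if (!is_string($pullname) || !ctype_digit($pullname)) {
        throw new InvalidArgumentException('pullname must be an integer id');
    }
    return "SELECT * FROM findplantsdb WHERE id=" . (int) $pullname;
}

// Same lookup as a prepared statement: the value is bound as an integer and
// never becomes part of the SQL text at all.
function fetch_by_id($link, $pullname) {
    if (!is_string($pullname) || !ctype_digit($pullname)) {
        throw new InvalidArgumentException('pullname must be an integer id');
    }
    $id   = (int) $pullname;
    $stmt = mysqli_prepare($link, "SELECT * FROM findplantsdb WHERE id=?");
    mysqli_stmt_bind_param($stmt, 'i', $id);
    mysqli_stmt_execute($stmt);
    return mysqli_stmt_get_result($stmt);
}

// Constructed sample inputs: only the first one passes the integer check.
foreach (['42', 'fern', '12abc', ''] as $input) {
    try {
        echo query_by_id($input), "\n";            // prints the query for '42'
    } catch (InvalidArgumentException $e) {
        echo "rejected '{$input}': ", $e->getMessage(), "\n";
    }
}
```

The reply's debugging step still applies to Fix 1: echo the returned string and check that the quotes around the value are intact before sending it to the server.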